1 Introduction

Most modern block ciphers are built using components whose cryptographic strength is evaluated in terms of the resistance offered to attacks on the whole cipher. For example, differential properties of Boolean functions are studied for the S-Boxes to thwart differential cryptanalysis.

Little is known on similar properties to avoid trapdoors in the design of the block cipher. In [6] the authors investigate the minimal properties for the S-Boxes (and the mixing layer) of an AES-like cipher (more precisely, a translation-based cipher, or tb cipher) to thwart the trapdoor coming from the imprimitivity action, first noted in [?]. In [8], Li observed that if $V$ is a finite vector space over a finite field $\mathbb{F}_p$, the symmetric group $\mathrm{Sym}(V)$ will contain many isomorphic copies of the affine group $\mathrm{AGL}(V)$, which are its conjugates in $\mathrm{Sym}(V)$. So there are several structures $(V,\circ)$ of an $\mathbb{F}_p$-vector space on the set $V$, where $(V,\circ)$ is the abelian additive group of the vector space. Each of these structures will yield in general a different copy $\mathrm{AGL}(V,\circ)$ of the affine group within $\mathrm{Sym}(V)$. So, a trapdoor coming from an alternative vector space structure, which we call hidden sum, can be embedded in a cipher whenever the permutation group generated by the round functions of the cipher is contained in a conjugate of $\mathrm{AGL}(V)$. In [5] the authors provide conditions on the S-Boxes of a tb cipher that avoid attacks coming from hidden sums. This result has been generalized to tb ciphers over any field in [2]. Also, in [1], the authors studied such trapdoors, characterizing a new class of vectorial Boolean functions, which they call anti-crooked, able to avoid any hidden sum.

In the yet unpublished Ph.D. thesis [?] the author investigated some properties of affine groups of a vector space over the binary field with respect to a hidden sum $\circ$. In particular, he focused on affine groups which contain the translation group with respect to the usual sum $+$, and affine groups whose translation group is contained in $\mathrm{AGL}(V)$. In this paper we study the differential properties of maps which are affine w.r.t. a hidden sum. Our results are presented in Section 3, while in Section 2 we provide some preliminaries from previous works. Our main result, Theorem 3, concludes Section 3. Section 4 concludes this paper with the sketch of an actual attack on a cipher in which a hidden sum trapdoor is embedded.


2 Preliminaries 

Here we give some notation and some known results that we are going to use throughout the paper. In the following, if not specified, $V$ will be an $n$-dimensional vector space over $\mathbb{F}_2$.

With the symbol $+$ we refer to the usual sum over the vector space $V$, and we denote by $T_+$, $\mathrm{AGL}(V,+)$ and $\mathrm{GL}(V,+)$, respectively, the translation, affine and linear groups w.r.t. $+$.

We recall that a $p$-elementary group $G$ acting on a set $\Omega$ is a group of permutations on $\Omega$ such that for all $g$ in $G$ we have $g^p = \mathrm{Id}_\Omega$.

A group $G$ is called regular if for all $a$ and $b$ in $\Omega$ there exists a unique $g$ in $G$ such that $g(a) = b$.

Remark 1. An elementary group acting on a vector space $V = \mathbb{F}_p^n$ is obviously a $p$-elementary group. The translation group of $V$ is an elementary abelian regular group. Vice versa, we claim that if $T$ is an elementary abelian regular group, there exists a vector space structure $(V,\circ)$ such that $T$ is the related translation group. In fact, from the regularity of $T$ we have $T = \{\tau_a \mid a \in V\}$, where $\tau_a$ is the unique map in $T$ such that $0 \mapsto a$. Then, defining the sum $x \circ a := \tau_a(x)$, it is easy to check that $(V,\circ)$ is a commutative group, and so we can consider the group operation as a sum, making it an additive group without loss of generality. Moreover, let the multiplication of a vector by an element of $\mathbb{F}_p$ be defined by

then it is easy to check that for all $s,t \in \mathbb{F}_p$ and $v,w \in V$

$$s(v \circ w) = sv \circ sw, \qquad (s+t)v = sv \circ tv, \qquad (st)v = s(tv)$$

and, $T$ being $p$-elementary, $pv = 0$. Thus $(V,\circ)$ is a vector space over $\mathbb{F}_p$. Observe that $(V,\circ)$ and $(V,+)$ are isomorphic vector spaces (since $|V| < \infty$).

For abelian regular subgroups of the affine group, in [1] the authors give a description of these in terms of commutative associative algebras that one can impose on the vector space $(V,+)$ or, in other words, of products that can be defined on $V$ and distribute over the sum $+$. We report the principal result shown in [3]. Recall that a (Jacobson) radical ring is a ring $(V,+,\cdot)$ in which every element is invertible with respect to the circle operation $x \circ y = x + y + x \cdot y$, so that $(V,\circ)$ is a group. The circle operation may induce a vector space structure on $V$ or not.

Theorem 1. Let $F$ be an arbitrary field, and $(V,+)$ a vector space of arbitrary dimension over $F$.

There is a one-to-one correspondence between

1) abelian regular subgroups $T$ of $\mathrm{AGL}(V,+)$, and

2) commutative, associative $F$-algebra structures $(V,+,\cdot)$ that one can impose on the vector space structure $(V,+)$, such that the resulting ring is radical.

In this correspondence, isomorphism classes of $F$-algebras correspond to conjugacy classes under the action of $\mathrm{GL}(V,+)$ of abelian regular subgroups of $\mathrm{AGL}(V,+)$.

We recall that an exterior algebra over an $F$-vector space $V$ is the $F$-algebra whose product is the wedge product $\wedge$ having the following properties:

1) $x \wedge x = 0$ for all $x \in V$,

2) $x \wedge y = -y \wedge x$.

The elements of the exterior algebra over $V$ are linear combinations of monomials such as $u$, $v \wedge w$, $x \wedge y \wedge z$, etc., where $u, v, w, x, y$ and $z$ are vectors of $V$.


Remark 2. From the theorem above we can note that in characteristic $2$, algebras corresponding to elementary abelian regular subgroups of $\mathrm{AGL}(V,+)$ are exterior algebras or a quotient thereof.

We will denote by $\sigma_a$ the translation in $T_+$ such that $x \mapsto x + a$. We will use $T_\circ$ and $\mathrm{AGL}(V,\circ)$ to denote the translation and affine group corresponding to a hidden sum $\circ$, that is, when $(V,\circ)$ is a vector space and so $T_\circ$ is elementary abelian and regular.

As noted in the remark above, since $T_\circ$ is regular, for each $a \in V$ there is a unique map $\tau_a \in T_\circ$ such that $0 \mapsto a$. Thus

$$T_\circ = \{\tau_a \mid a \in V\}.$$

The relation between $T_\circ$ and $\mathrm{AGL}(V,\circ)$ is that $\mathrm{AGL}(V,\circ)$ is the normalizer of $T_\circ$ in $\mathrm{Sym}(V)$, that is, $\mathrm{AGL}(V,\circ)$ is the largest subgroup of $\mathrm{Sym}(V)$ containing $T_\circ$ such that $T_\circ$ is normal in it. Indeed, $\mathrm{AGL}(V,+)$ is the normalizer of $T_+$ and they are, respectively, the isomorphic images of $\mathrm{AGL}(V,\circ)$ and $T_\circ$. With $1_V$ we will denote the identity map of $V$.

Remark 3. If $T_\circ \subseteq \mathrm{AGL}(V,+)$, then $\tau_a = \sigma_a \kappa$ for some $\kappa \in \mathrm{GL}(V,+)$, since $\mathrm{AGL}(V,+) = \mathrm{GL}(V,+) \ltimes T_+$. We will denote by $\kappa_a$ the linear map $\kappa$ corresponding to $\tau_a$.

Let $T \subseteq \mathrm{AGL}(V,+)$ and define the set

$$U(T) = \{a \mid \tau = \sigma_a,\ \tau \in T\}.$$

It is easy to check that $U(T)$ is a subspace of $V$ whenever $T$ is a subgroup. If $T = T_\circ$ for some operation $\circ$, then $U(T_\circ)$ is nontrivial by the following lemma.

Lemma 1 ([?]). Let $T_+$ be the group of translations in $\mathrm{AGL}(V,+)$ and let $T \subseteq \mathrm{AGL}(V,+)$ be a regular subgroup. Then, if $V$ is finite, $T_+ \cap T$ is nontrivial.

$U(T_\circ)$ is important in the context of our theory and its dimension gives fundamental information on the corresponding hidden sum.

3 On the differential uniformity of a $\circ$-affine map

Any round function of a translation-based block cipher (Definition 3.1 in [?]) is composed of a parallel S-box $\gamma$, a mixing layer $\lambda$ and a translation $\sigma_k$ by the round key. The map $\gamma$ must be as non-linear as possible to create confusion in the message. An important notion of "non-linearity" of Boolean functions is the differential uniformity.

In this section we establish a lower bound on the differential uniformity of the maps lying in some $\mathrm{AGL}(V,\circ)$. We will consider the two cases of an affine group $\mathrm{AGL}(V,\circ)$ such that $T_\circ \subseteq \mathrm{AGL}(V,+)$ and/or $T_+ \subseteq \mathrm{AGL}(V,\circ)$. In both cases, in the following proofs we can consider w.l.o.g. maps $f$ such that $f(0) = 0$. In fact, in the first case we can compose $f$ with $\tau_{f(0)}$, which maps $f(0)$ to $0$, and in the second case we compose with $\sigma_{f(0)}$; in both cases we compose with an affine map.

We recall the definition of differential uniformity. 

Definition 1. Let $m,n \geq 1$. Let $f : \mathbb{F}_2^m \to \mathbb{F}_2^n$; for any $a \in \mathbb{F}_2^m$ and $b \in \mathbb{F}_2^n$ we define

$$\delta_f(a,b) = |\{x \in \mathbb{F}_2^m \mid f(x+a) + f(x) = b\}|.$$

The differential uniformity of $f$ is

$$\delta(f) = \max_{\substack{a \in \mathbb{F}_2^m,\ b \in \mathbb{F}_2^n \\ a \neq 0}} \delta_f(a,b).$$

$f$ is said to be $\delta$-differentially uniform if $\delta = \delta(f)$.

We are ready for our first result. 

Lemma 2. Let $T_\circ \subseteq \mathrm{AGL}(V,+)$ and $\dim(U(T_\circ)) = k$. Then $f \in \mathrm{AGL}(V,\circ)$ is at least $2^k$ differentially uniform.

Proof. Let $a \in U(T_\circ)$; then

$$f(x+a) + f(x) = f(x \circ a) + f(x) = (f(x) \circ f(a)) + f(x).$$

So, for all $f(x) \in U(T_\circ)$ we have

$$(f(x) \circ f(a)) + f(x) = (f(x) + f(a)) + f(x) = f(a),$$

which implies $|\{x \mid f(x+a) + f(x) = f(a)\}| \geq 2^k$.

When $T_+ \subseteq \mathrm{AGL}(V,\circ)$, we can define $U_\circ(T_+) = \{a \mid \sigma_a \in T_+ \cap T_\circ\}$, and it is a vector subspace of $(V,\circ)$. Then we obtain, analogously, the following lemma.

Lemma 3. Let $T_+ \subseteq \mathrm{AGL}(V,\circ)$ and $\dim(U_\circ(T_+)) = k$, as a subspace of $(V,\circ)$. Then $f \in \mathrm{AGL}(V,\circ)$ is at least $2^k$ differentially uniform.





Recalling that, given a ring $R$, $r \in R$ is called nilpotent if there exists an integer $n$ such that $r^n = 0$, while $r \in R$ is called unipotent if and only if $r - 1$ is nilpotent, we have the following:

Lemma 4. Let $T_\circ \subseteq \mathrm{AGL}(V,+)$. Then for each $a \in V$, $\kappa_a$ has order $2$ and it is unipotent.

Proof. We know that $\tau_a$ has order $2$, because $T_\circ$ is elementary. Then, $\tau_a^2 = 1_V$ implies $\tau_a(a) = 0$, and in particular $\kappa_a(a) = a$. So

$$x = \tau_a^2(x) = \kappa_a(\kappa_a(x) + a) + a = \kappa_a^2(x) + a + a = \kappa_a^2(x) \quad \text{for all } x \in V.$$

That implies $(\kappa_a - 1_V)^2 = \kappa_a^2 - 1_V = 0$.

Remark 4. The lemma above can be easily generalized to any characteristic $p$; in this case the order of $\kappa_a$ would be $p$.

Remark 5. It is well known that a square matrix is unipotent if and only if its characteristic polynomial $P(t)$ is a power of $t - 1$, i.e. it has a unique eigenvalue, equal to $1$.

We recall the following definition. 


Definition 2. Let $A$ be an $n \times n$ matrix over a field $F$, with $\lambda \in F$ along the main diagonal and $1$ along the diagonal above it, that is

$$A = \begin{pmatrix} \lambda & 1 & 0 & \cdots & 0 \\ 0 & \lambda & 1 & \cdots & 0 \\ \vdots & & \ddots & \ddots & \vdots \\ 0 & \cdots & 0 & \lambda & 1 \\ 0 & \cdots & 0 & 0 & \lambda \end{pmatrix}.$$

Then $A$ is called the $n \times n$ elementary Jordan matrix or Jordan block of size $n$.


Definition 3. A matrix A defined over a field F is said to be in Jordan 
canonical form if A is block-diagonal where each block is a Jordan block 
defined over F. 

The following theorem is well-known (see for instance [?]).

Theorem 2. Let A be an n x n matrix over a field F such that any 
eigenvalue of A is contained in F, then there exists a matrix J defined 
over F, which is in Jordan canonical form and similar to A. 




Lemma 5. Let $T_\circ \subseteq \mathrm{AGL}(V,+)$. Then for each $a \in V$, $\kappa_a$ fixes at least $2^{\lfloor \frac{n-1}{2} \rfloor + 1}$ elements of $V$.

Proof. From Lemma 4, $\kappa_a$ has a unique eigenvalue, equal to $1 \in \mathbb{F}_2$; then from Theorem 2 there exists a matrix over $\mathbb{F}_2$ in Jordan form similar to $\kappa_a$. Thus, $\kappa_a = A J A^{-1}$, for some $A, J \in \mathrm{GL}(V,+)$ with

$$J = \begin{pmatrix} 1 & \alpha_1 & 0 & \cdots & 0 \\ 0 & 1 & \alpha_2 & \cdots & 0 \\ \vdots & & \ddots & \ddots & \vdots \\ 0 & \cdots & 0 & 1 & \alpha_{n-1} \\ 0 & \cdots & 0 & 0 & 1 \end{pmatrix}
\quad \text{and} \quad
J^2 = \begin{pmatrix} 1 & 0 & \alpha_1\alpha_2 & 0 & \cdots & 0 \\ 0 & 1 & 0 & \alpha_2\alpha_3 & \cdots & 0 \\ \vdots & & \ddots & \ddots & \ddots & \vdots \\ 0 & \cdots & 0 & 1 & 0 & \alpha_{n-2}\alpha_{n-1} \\ 0 & \cdots & 0 & 0 & 1 & 0 \\ 0 & \cdots & 0 & 0 & 0 & 1 \end{pmatrix},$$

where $\alpha_i \in \mathbb{F}_2$ for $1 \leq i \leq n-1$.

From the fact that $J$ is conjugated to $\kappa_a$ we have $J^2 = 1_V$, and that implies $\alpha_i \alpha_{i+1} = 0$ for all $1 \leq i \leq n-2$.

Note that if $\alpha_i = 1$ then $\alpha_{i-1}$ and $\alpha_{i+1}$ have to be equal to $0$. Thus we have that when $n$ is even at most $\frac{n}{2}$ of the $\alpha_i$'s can be equal to $1$. Then at least $\frac{n}{2}$ elements of the canonical basis are fixed by $J$. When $n$ is odd we have at most $\frac{n-1}{2}$ of the $\alpha_i$'s equal to $1$, and then at least $\frac{n-1}{2} + 1$ elements of the canonical basis are fixed by $J$. Our claim follows from the fact that $\kappa_a$ is conjugated to $J$.


In terms of algebras we have the following corollary.

Corollary 1. Let $T_\circ \subseteq \mathrm{AGL}(V,+)$, and let $(V,+,\cdot)$ be the associated algebra of Theorem 1. Then for each $a \in V$, $a \cdot x$ is equal to $0$ for at least $2^{\lfloor \frac{n-1}{2} \rfloor + 1}$ elements $x$ of $V$.


Remark 6. The bound on the number of elements fixed by $\kappa_a$ given in Lemma 5 is tight. In fact, let $(V,+,\cdot)$ be the exterior algebra over a vector space of dimension three, spanned by $e_1, e_2, e_3$. That is, $V$ has basis

$$e_1,\ e_2,\ e_3,\ e_1 \wedge e_2,\ e_1 \wedge e_3,\ e_2 \wedge e_3,\ e_1 \wedge e_2 \wedge e_3.$$

We have that $e_1 \cdot x = 0$ for all $x \in E = \langle e_1,\ e_1 \wedge e_2,\ e_1 \wedge e_3,\ e_1 \wedge e_2 \wedge e_3 \rangle$. So, for all $x \in E$

$$x \circ e_1 = x + e_1 + x \cdot e_1 = x + e_1.$$

Vice versa, if $x \circ e_1 = x + e_1$ then $x \in E$. The size of $E$ is $2^4$.






Lemma 6. Let $T_\circ \subseteq \mathrm{AGL}(V,+)$. Then $f \in \mathrm{AGL}(V,\circ)$ is at least $2^{\lfloor \frac{n-1}{2} \rfloor + 1}$ differentially uniform.

Proof. From Lemma 1 there exists $a \in U(T_\circ)$ different from zero. So

$$f(x+a) + f(x) = f(x \circ a) + f(x) = (f(x) \circ f(a)) + f(x) = (f(x) + f(a) + f(a) \cdot f(x)) + f(x).$$

Now, from Corollary 1 we have that $f(a) \cdot f(x) = 0$ for at least $2^{\lfloor \frac{n-1}{2} \rfloor + 1}$ elements of $V$.

This implies $|\{x \mid f(x+a) + f(x) = f(a)\}| \geq 2^{\lfloor \frac{n-1}{2} \rfloor + 1}$.

Lemma 7. Let $T_+ \subseteq \mathrm{AGL}(V,\circ)$. Then $f \in \mathrm{AGL}(V,\circ)$ is at least $2^{\lfloor \frac{n-1}{2} \rfloor + 1}$ differentially uniform.

Proof. Note that Theorem 1, Lemma 1 and Corollary 1 hold also inverting the operations $\circ$ and $+$. Then, there exists $a \in V$ different from zero such that $x + a = x \circ a$ for all $x \in V$. Considering the algebra $(V,\circ,\cdot)$ such that $x + y = x \circ y \circ x \cdot y$ for all $x, y \in V$, we have

$$f(x+a) + f(x) = f(x \circ a) + f(x) = (f(x) \circ f(a)) + f(x) = (f(x) \circ f(a)) \circ f(x) \circ f(x) \cdot (f(x) \circ f(a)) = f(x) \circ f(a) \circ f(x) \circ f(x) \cdot f(x) \circ f(x) \cdot f(a).$$

From Remark 2 we have $y^2 = 0$ for all $y \in V$, and from Corollary 1, $f(x) \cdot f(a) = 0$ for at least $2^{\lfloor \frac{n-1}{2} \rfloor + 1}$ elements. Thus

$$|\{x \mid f(x+a) + f(x) = f(a)\}| \geq 2^{\lfloor \frac{n-1}{2} \rfloor + 1}.$$

Summarizing our results in this section, especially Lemmas 2, 3, 6 and 7, we obtain our theorem on the claimed differential uniformity.

Theorem 3. Let $T_\circ \subseteq \mathrm{AGL}(V,+)$ ($T_+ \subseteq \mathrm{AGL}(V,\circ)$, respectively). Let $f \in \mathrm{AGL}(V,\circ)$. Then $\delta(f) \geq 2^m$, where

- $m = \max\{\lfloor \frac{n-1}{2} \rfloor + 1,\ \dim(U(T_\circ))\}$

- ($m = \max\{\lfloor \frac{n-1}{2} \rfloor + 1,\ \dim(U_\circ(T_+))\}$, respectively).

By a computer check we obtain the following fact.

Fact 1. Let $V = \mathbb{F}_2^n$ with $n = 3, 4, 5$. If $T_+ \subseteq \mathrm{AGL}(V,\circ)$, let $f \in \mathrm{AGL}(V,\circ)$. Then $\delta(f) \geq 2^{n-1}$.


Remark 7. For $n = 7, 8$ there exist examples of functions that are affine w.r.t. a hidden sum $\circ$ satisfying $T_+ \subseteq \mathrm{AGL}(V,\circ)$ and $\delta(f) = 2^{n-2}$. The existence of these permutations and Fact 1 suggest that there may exist bounds sharper than those in Theorem 3.

Remark 8. Note that if we consider $f \in \mathrm{Sym}(\mathbb{F}_2^4)$ with $\delta(f) = 4$, then the parallel map $(f,f)$ acting on $\mathbb{F}_2^8$ is $2^6$ differentially uniform. Thus the differential uniformity alone may not guarantee security from a hidden sum trapdoor!


4 A block cipher with a hidden sum

In this section we give an example, similar to that described in [1], of a translation based block cipher in a small dimension, in which it is possible to embed a hidden-sum trapdoor.

Let $m = 3$, $n = 2$; then $d = 6$ and we have the message space $V = \mathbb{F}_2^6$. The mixing layer of our toy cipher is given by the matrix

$$\lambda = \begin{pmatrix} 0 & 0 & 1 & 1 & 1 & 0 \\ 0 & 0 & 1 & 0 & 1 & 1 \\ 0 & 0 & 0 & 0 & 0 & 1 \\ 1 & 0 & 1 & 0 & 0 & 1 \\ 1 & 1 & 1 & 0 & 0 & 1 \\ 0 & 0 & 1 & 0 & 0 & 0 \end{pmatrix}.$$

Note that $\lambda$ is a proper mixing layer (see Definition 3.2 in [?]). The bricklayer transformation $\gamma = (\gamma_1, \gamma_2)$ of our toy cipher is given by two identical S-boxes

$$\gamma_1 = \gamma_2 = \alpha^4 x^6 + \alpha^3 x^4 + \alpha x^3 + \alpha^3 x^2 + x + \alpha^6,$$

where $\alpha$ is a primitive element of $\mathbb{F}_{2^3}$ such that $\alpha^3 = \alpha + 1$.

The S-box $\gamma_1$ is 4-differentially uniform.

Consider the hidden sum $\circ$ over $V_1 = V_2 = (\mathbb{F}_2)^3$ induced by the elementary abelian regular group $T_\circ = \langle \tau_1, \tau_2, \tau_3 \rangle$, where

$$\tau_1(x) = x \cdot \begin{pmatrix} 1 & 0 & 0 \\ 0 & 1 & 1 \\ 0 & 0 & 1 \end{pmatrix} + e_1, \quad
\tau_2(x) = x \cdot \begin{pmatrix} 1 & 0 & 1 \\ 0 & 1 & 0 \\ 0 & 0 & 1 \end{pmatrix} + e_2, \quad
\tau_3(x) = x \cdot \begin{pmatrix} 1 & 0 & 0 \\ 0 & 1 & 0 \\ 0 & 0 & 1 \end{pmatrix} + e_3, \qquad (1)$$

with $e_1 = (1,0,0)$, $e_2 = (0,1,0)$ and $e_3 = (0,0,1)$. In other words, $\tau_i(x) = x \circ e_i$ for any $1 \leq i \leq 3$.










Obviously $T = T_\circ \times T_\circ$ is an elementary abelian group inducing the hidden sum $(x_1, x_2) \circ' (y_1, y_2) = (x_1 \circ y_1,\ x_2 \circ y_2)$ on $V = V_1 \times V_2$. By a computer check it results that $\langle T_+, \lambda\gamma \rangle \subseteq \mathrm{AGL}(V,\circ')$, and $\circ'$ is a hidden sum for our toy cipher. It remains to verify whether it is possible to use it to attack the toy cipher with an attack that costs less than brute force. We are considering a cipher where the number of rounds is so large as to make any classical attack (such as differential cryptanalysis) useless and the key schedule offers no weakness. Therefore, the hidden sum will actually be essential to break the cipher only if the attack that we build costs significantly less than $64$ encryptions, considering that the key space is $\mathbb{F}_2^6$.

Remark 9. $T_\circ$ is generated by the translations corresponding to $e_1$, $e_2$ and $e_3$, which implies that the vectors $e_1, e_2, e_3$ form a basis for $(V_1,\circ)$. Let $x = (x_1, x_2, x_3) \in V_1$; from (1) we can simply write

$$\tau_1(x) = (x_1 + 1,\ x_2,\ x_2 + x_3), \quad \tau_2(x) = (x_1,\ x_2 + 1,\ x_1 + x_3), \quad \tau_3(x) = (x_1,\ x_2,\ x_3 + 1).$$

Let us write $x$ as a linear combination of $e_1$, $e_2$ and $e_3$ w.r.t. the sum $\circ$, i.e. $x = \lambda_1 e_1 \circ \lambda_2 e_2 \circ \lambda_3 e_3$. We have that $\lambda_1 = x_1$, $\lambda_2 = x_2$ and $\lambda_3 = \lambda_1 \lambda_2 + x_3$. So

$$(x_1, x_2, x_3) = x = (\lambda_1,\ \lambda_2,\ \lambda_1 \lambda_2 + \lambda_3). \qquad (2)$$


Thanks to the previous remark we can find the coefficients of a vector $v' = (v, u) \in V$ with respect to $\circ'$ by using the following algorithm separately on the two bricks of $v'$.

Algorithm 1
Input: vector $x \in \mathbb{F}_2^3$
Output: coefficients $\lambda_1$, $\lambda_2$ and $\lambda_3$.

[1] $\lambda_1 \leftarrow x_1$;

[2] $\lambda_2 \leftarrow x_2$;

[3] $\lambda_3 \leftarrow \lambda_1 \lambda_2 + x_3$;
return $\lambda_1$, $\lambda_2$, $\lambda_3$.

Let $v' = (v, u) \in V$; we write

$$v = \lambda_1^v e_1 \circ \lambda_2^v e_2 \circ \lambda_3^v e_3 \quad \text{and} \quad u = \lambda_1^u e_1 \circ \lambda_2^u e_2 \circ \lambda_3^u e_3.$$

We denote by

$$[v'] = [\lambda_1^v, \lambda_2^v, \lambda_3^v, \lambda_1^u, \lambda_2^u, \lambda_3^u]$$

the vector with the coefficients obtained from the bricks of $v'$ using Algorithm 1.


Let $\varphi = \varphi_k$ be the encryption function, with a given unknown session key $k$. We want to mount two attacks by computing the matrix $M$ and the translation vector $t$ defining $\varphi \in \mathrm{AGL}(V,\circ')$, so $t = \varphi(0)$ and $[\varphi(x)] = [x] \cdot M + [t]$.

Assume we can call the encryption oracle. Then $M$ can be computed from the 7 ciphertexts $\varphi(0), \varphi(e'_1), \ldots, \varphi(e'_6)$ (where $e'_1 = (1,0,0,0,0,0), \ldots, e'_6 = (0,0,0,0,0,1)$), since the $([\varphi(e'_i)] + [t])$'s represent the matrix rows. In other words, we will have

$$[\varphi(v')] = [v'] \cdot M + [t], \qquad [\varphi^{-1}(v')] = ([v'] + [t]) \cdot M^{-1}$$

for all $v' \in V$, where the product row by column is the standard scalar product. The knowledge of $M$, $t$ and $M^{-1}$ provides a global deduction (reconstruction), since it becomes trivial to encrypt and decrypt. In fact, to encrypt $v$ it is enough to compute $[v]$, apply $[v] \mapsto [v] \cdot M + [t] = [w]$ and then pass from $[w]$ to the standard representation $w$ via (2). Analogously to decrypt. However, following [?], we have an alternative depending on how we compute $M^{-1}$, resulting in one attack with 7 encryptions and another with 7 encryptions and 7 decryptions. Both are much faster than brute-force searching in the keyspace.
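The hidden sum of this section, Algorithm 1 and the 7-query recovery of $(M, t)$, as an added Python example that is not part of the paper. The encryption oracle is a constructed stand-in: a secret element of $\mathrm{AGL}(V,\circ')$ followed by a round-key addition, which is all the attack relies on; the real rounds $\lambda\gamma$ of the toy cipher are not reproduced.

```python
import random

BRICKS = [tuple((n >> i) & 1 for i in range(3)) for n in range(8)]   # V1 = (F_2)^3
ALL = [tuple((n >> i) & 1 for i in range(6)) for n in range(64)]     # V = V1 x V2

def tau(i, x):
    # generators tau_1, tau_2, tau_3 of T_o, written out as in Remark 9
    x1, x2, x3 = x
    return [(x1 ^ 1, x2, x2 ^ x3), (x1, x2 ^ 1, x1 ^ x3), (x1, x2, x3 ^ 1)][i]

def coeffs3(x):
    # Algorithm 1: (l1, l2, l3) with x = l1 e1 o l2 e2 o l3 e3
    return (x[0], x[1], (x[0] & x[1]) ^ x[2])

def from_coeffs3(l):
    # equation (2): x = (l1, l2, l1 l2 + l3), the inverse of Algorithm 1
    return (l[0], l[1], (l[0] & l[1]) ^ l[2])

def hsum3(x, a):
    # x o a = tau_a(x), where tau_a = tau_1^l1 tau_2^l2 tau_3^l3 and [a] = (l1, l2, l3)
    for i, li in enumerate(coeffs3(a)):
        if li:
            x = tau(i, x)
    return x

def coeffs(v):        # [v'] for v' = (v, u): Algorithm 1 on each brick
    return coeffs3(v[:3]) + coeffs3(v[3:])
def from_coeffs(l):
    return from_coeffs3(l[:3]) + from_coeffs3(l[3:])
def xor(a, b):
    return tuple(p ^ q for p, q in zip(a, b))
def vec_mat(l, M):    # row vector times 6x6 matrix over F_2
    return tuple(sum(l[i] & M[i][j] for i in range(6)) & 1 for j in range(6))

def make_oracle(seed):
    # Constructed stand-in for the keyed toy cipher (not its real rounds): a
    # secret element of AGL(V, o') followed by a round-key addition sigma_k.
    rng = random.Random(seed)
    while True:
        Mk = [[rng.randrange(2) for _ in range(6)] for _ in range(6)]
        if len({vec_mat(l, Mk) for l in ALL}) == 64:    # keep only invertible Mk
            break
    tk, k = rng.choice(ALL), rng.choice(ALL)
    return lambda x: xor(from_coeffs(xor(vec_mat(coeffs(x), Mk), tk)), k)

def recover(phi):
    # the 7-query attack: t = phi(0), and row i of M is [phi(e'_i)] + [t]
    t = phi(ALL[0])
    M = [xor(coeffs(phi(ALL[1 << i])), coeffs(t)) for i in range(6)]
    return M, t

def predict(M, t, x): # [phi(x)] = [x] M + [t], mapped back via equation (2)
    return from_coeffs(xor(vec_mat(coeffs(x), M), coeffs(t)))

def attack_works(seed=1):
    # global deduction: (M, t) from 7 encryptions predicts all 64 ciphertexts
    phi = make_oracle(seed)
    M, t = recover(phi)
    return all(predict(M, t, x) == phi(x) for x in ALL)
```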